Thursday, June 17, 2010

Extend Schema Log 'Failed to create attribute cn=. Error code = 8206.'

Had a bit of an issue today at a customer site while trying to extend the schema for SCCM. The environment was on Windows 2000 Active Directory, so the ExtAdSch.exe tool could not be run directly on the DC. Since the SCCM server was running Windows Server 2003, I ran the tool from there.


Logged on as Administrator (member of Schema Admins) but the schema extension failed. Checking the logs, there was a slew of 'Failed to create attribute... Error code = 8206' entries.

Looking around I saw some help from Wei King's blog post.

Failed to create attribute cn=. Error code = 8206.
If you get this error while trying to extend your schema for Configuration Manager 2007, it may be because your account may not have enough privileges to do so...yes even if you are the administrator (check the C:\ExtADSch.log). To do this, make sure you have your schmmgmt.dll registered before you can add this console into MMC. Once opened, add the Active Directory Schema console into your MMC. From there assign the account you are using to have rights to update the schema.

When trying this, I had an issue where I could not modify the permissions on the AD Schema snap-in. This was on a Windows 2000 DC. I realized that for this, I needed to do a Right-click --> Operations Master... and select the option for 'Schema may be modified on this Domain Controller'. But after assigning explicit permissions to the Administrator account, the ExtendAd Schema still failed with the same error.

After checking AD, I noticed that there were a few orphaned domain controllers still sitting in AD. After using the ntdsutil tool to remove the DCs from AD and clearing the replication topology, the ExtendAD Schema worked successfully!! Which leads me to assume that the AD had replication sync errors which prevented it from updating the schema.
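
As an added example (not from the original post, Wei King's post or Microsoft's tooling), this Python script tallies the error codes in an ExtADSch.log so the failure can be classified before anyone widens permissions on the schema. In winerror.h, 8206 is ERROR_DS_BUSY and 8344 is ERROR_DS_INSUFF_ACCESS_RIGHTS; the timestamp prefix, the sample lines, the attribute names and the function name triage are assumptions.

```python
import re
from collections import Counter

# Win32 error codes from winerror.h that matter for schema writes.
DS_ERRORS = {
    5: "ERROR_ACCESS_DENIED",
    8206: "ERROR_DS_BUSY",
    8344: "ERROR_DS_INSUFF_ACCESS_RIGHTS",
}
ACCESS_CODES = {5, 8344}

# Message shape taken from the error quoted on this page; anything before
# "Failed" (such as a timestamp) is ignored because its format is assumed.
FAIL_RE = re.compile(r"Failed to create (\w+) cn=(\S*?)\.\s+Error code = (\d+)")

# Constructed sample input: the attribute names are placeholders.
SAMPLE_LOG = """\
<01-01-2010 10:02:11> Modifying Active Directory Schema - with SMS extensions.
<01-01-2010 10:02:12> Failed to create attribute cn=EXAMPLE-ATTR-A.  Error code = 8206.
<01-01-2010 10:02:12> Failed to create attribute cn=EXAMPLE-ATTR-B.  Error code = 8206.
<01-01-2010 10:02:13> Failed to create attribute cn=. Error code = 8206.
"""

def triage(log_text):
    """Return (Counter of error codes, failed object names, hint string)."""
    codes, names = Counter(), []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            names.append(m.group(2))
            codes[int(m.group(3))] += 1
    if not codes:
        hint = "no failures logged"
    elif set(codes) <= ACCESS_CODES:
        hint = "access denied: review rights on the schema partition"
    elif 8206 in codes:
        hint = ("directory busy: check the schema master and replication "
                "health before granting extra permissions")
    else:
        hint = "unrecognised codes: look them up before changing anything"
    return codes, names, hint

if __name__ == "__main__":
    codes, names, hint = triage(SAMPLE_LOG)
    for code, count in codes.items():
        print(code, DS_ERRORS.get(code, "unknown"), count)
    print(hint)
```

A log full of 8206 points at the directory service rather than at the account, so extra schema rights granted during troubleshooting can be removed once the real cause is fixed.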
